metrics-server deployments cannot connect to kubelet InternalIP #2028
Comments
/close
hi, this is probably caused by the fact that the kubelet that kubeadm starts is self-signing its serving certificate. this issue outlines the problem better: this is the default kubelet behavior. there is also a workaround with a proxy, but i'm not sure how it's done exactly.
@neolit123: Closing this issue. In response to this:
this workaround i do not recommend:
Set the arg
Is this a BUG REPORT or FEATURE REQUEST?
BUG REPORT / FEATURE REQUEST
Versions
kubeadm version (use kubeadm version): kubeadm version: &version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.2", GitCommit:"59603c6e503c87169aea6106f57b9f242f64df89", GitTreeState:"clean", BuildDate:"2020-01-18T23:27:49Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
kubectl version: v1.17.2
uname -a: 4.15.0-76-generic
What happened?
In my environment, node hostnames are not resolvable, so communication must be done over InternalIP endpoints.
I installed metrics-server, modifying the deployment args to include --kubelet-preferred-address-types=InternalIP. metrics-server cannot collect metrics from the cluster's kubelets because of the error
unable to fetch metrics from Kubelet node1 (10.0.23.26): Get https://10.0.23.26:10250/stats/summary?only_cpu_and_memory=true: x509: cannot validate certificate for 10.0.23.26 because it doesn't contain any IP SANs]
I verified that the kubelet certs only include the hostname CN/SAN:
How to reproduce it (as minimally and precisely as possible)?
Deploy a cluster with kubeadm, then deploy metrics-server with the metrics-server-deployment arg --kubelet-preferred-address-types=InternalIP added. In order to see the IP SAN error shown above, the arg --v=3 must also be added, as the metrics-server default logging settings will not display it.
Anything else we need to know?
kubernetes-sigs/metrics-server#196 - same issue, but does not specify whether kubeadm was used to deploy the cluster.
There are numerous other issues outlining similar issues with metrics-server connecting to kubelet, some of which appear to be IP SAN related, i.e. many people who changed the preferred address types to InternalIP, and then had to add --kubelet-insecure-tls to get metrics-server working. Many commenters don't directly call out the IP SAN issue, probably because metrics-server logging settings do not display it by default.
kubernetes-sigs/metrics-server#131
specifically metrics-server is suggesting that the node should contain an IP SAN in this situation:
kubernetes-sigs/metrics-server#131 (comment)
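The name check behind the error quoted in this issue, as an added example that is not part of the original thread or of metrics-server's code: Go's crypto/x509 rejects a connection made by IP address when the serving certificate carries only a hostname SAN, and accepts it once an IP SAN is present. The certificates are constructed in-process for illustration; `selfSignedServingCert` and `checkAddress` are hypothetical helper names, and the hostname and IP are the ones from the log line above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServingCert builds a throwaway self-signed serving cert (constructed data, not a real kubelet cert).
func selfSignedServingCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-serving-cert"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // hostname SANs
		IPAddresses:  ips,      // IP SANs; nil reproduces the hostname-only case
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAddress runs the SAN match a TLS client applies to the address it dialed (hostname or IP).
func checkAddress(cert *x509.Certificate, addr string) error {
	if err := cert.VerifyHostname(addr); err != nil {
		return fmt.Errorf("dial %s: %w", addr, err)
	}
	return nil
}

func main() {
	hostOnly, _ := selfSignedServingCert([]string{"node1"}, nil)
	withIP, _ := selfSignedServingCert([]string{"node1"}, []net.IP{net.ParseIP("10.0.23.26")})
	fmt.Println("hostname-only SAN:", checkAddress(hostOnly, "10.0.23.26"))
	fmt.Println("with IP SAN:      ", checkAddress(withIP, "10.0.23.26"))
}
```

This covers only the SAN match; chain validation against a trusted CA is a separate step that a self-signed serving certificate would also fail.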